setuid wrapper

Anon

Hi,

I recently signup with a webhost who suggested that PHP was not safe to use and that CGI is te way to go.

"PHP doesn't run under a setuid wrapper, so you need to make php files world readable, meaning anyone on server can read the password from the script. CGI will run fine without world readability."

Is this true? or rather, is there a way around it?? I haven't read much about major secuirty holes in PHP, so I'm a bit unsure about this.

If anyone has any information, please email me.

Thank you,
Nancy

Anon

Hi.

Well, as far as i understand things, both cgi and php may be security breach 🙂

The idea is not to use any system call without being sure it cannot be use in a malicious way (like sending mail to a program or whatever).

In a sense, cgi may be more dangerous as they can be suid, wich is not the case with a php file as an apache module (so no need to use a setuid wrapper: all is done by the user apache is launched by).

To avoid surfer to see my database password in my scripts, i put their definition in a inc directory that is protected with a .htacces (deny from all). My scripts include those neede file, and nobody except apache is able to read those (well, i hope so 🙂) ).

To avoid system user to read it, just chmod o-r them.

By the way, i am no security expert, so don t take what i say for granted, but verify it with your local system admin 🙂

Anon

Melmoth,

I think, the way you describe is not secure. I can bypass your .htaccess. I can make a php script like this.

<?php
passthru(\"ls your_include_directory\");
?>

After I know what files you have, I then
cat the content of the files. For example

<?php
passthru(\"cat your_files\");
?>

Edi
edi_wibowo@eudoramail.com